Overview of the model. In the trigger generation stage, the attacker uses the raindrops trigger to poison a small portion of training data to generate backdoor samples. In the backdoor embedding stage, the backdoor samples and clean samples are used together to train a DNN to learn the mapping from the raindrops trigger to the target label. In the inference stage, the backdoored model returns the ground-truth labels for clean inputs and the target label for poison inputs.